Recently, NACHA updated its ACH rules around data security. As an ACH Originator, your business is responsible for meeting these requirements. Following the guidelines below will help you stay compliant and protect your organization from fraud.
Protect ACH Data at Every Stage
Make sure any ACH-related information is collected, stored, transmitted, and destroyed securely.
Create and maintain a security or privacy policy that specifically addresses ACH activity.
Store sensitive information properly:
Shred paper documents when no longer needed.
Erase or wipe electronic documents before disposal.
Keep sensitive paperwork locked in drawers or cabinets.
Secure all devices (desktops, laptops, mobile devices) with updated anti-virus, anti-malware/spyware, and encryption tools.
Use Strong Passwords and Safeguard Access
Passwords play a key role in securing protected information.
Never keep default, vendor-provided passwords; change them immediately.
Use strong, unique passwords or passphrases for each user.
Avoid sharing passwords with co-workers.
Update passwords regularly and use password-protected screen savers.
Keep all passwords confidential and stored securely.
Guard Against Intrusion
Ensure your systems are protected from outside threats.
Limit computer usage to business purposes only.
Use firewalls and updated anti-virus/spyware software.
Disable unnecessary ports, services, or devices.
Set automatic logouts after periods of inactivity.
Encrypt data when it’s stored or moved.
Install software updates promptly.
Log off devices when they are not in use.
Restrict and Monitor Access
Only give employees access to protected information when necessary.
Reduce the number of locations where sensitive data is stored.
Review employee access regularly, including access to server rooms.
Be cautious when mailing protected information.
Avoid storing sensitive information on portable devices.
Transmit data online only through secure, encrypted sessions.
Establish an Internet Acceptable Use Policy.
Train and Educate Staff
Your employees are your first line of defense, but also the weakest link.
Keep sensitive information secure at all times.
Mask sensitive data in emails, phone conversations, and mail.
Ensure employees understand your security policy.
Teach staff how to identify phishing attempts and suspicious communication.
Notify employees immediately if a potential security issue arises.